April 16, 2025

Sybaris Proving Grounds Write-Up

Proving Grounds Sybaris machine walkthrough

SUMMARY

This write-up covers the Sybaris machine from OffSec’s Proving Grounds, a Linux machine combining an anonymous FTP upload with an unauthenticated Redis instance for an unusual RCE chain.

Port 21 allowed anonymous FTP with write access to a pub directory. Port 6379 ran Redis 5.0.9 with no authentication. A malicious Redis module (a compiled shared library) was uploaded to the FTP directory, which mapped to /var/ftp/pub/ on disk. Connecting via redis-cli and issuing MODULE LOAD with the correct path loaded the module, enabling system command execution. A reverse shell payload was hosted via a Python HTTP server and triggered through Redis, delivering a shell as pablo.
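
A defender-side check for the Redis settings this chain relied on, as an added example that is not part of the original write-up: it audits a redis.conf body for a missing requirepass, a listener reachable beyond loopback, and a MODULE command that has not been renamed or disabled. The function names, finding codes and sample configs are constructed for illustration.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Map each directive to the list of its argument lists (comments skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return finding codes for the settings the chain above depended on."""
    conf = parse_redis_conf(text)
    findings = []
    no_auth = not any(a and a[0] for a in conf.get("requirepass", []))
    binds = [addr.lstrip("-") for args in conf.get("bind", []) for addr in args]
    mode = (conf.get("protected-mode", [["yes"]])[-1] or ["yes"])[0]
    protected = mode.lower() != "no"
    if binds:
        remote = any(b not in LOOPBACK for b in binds)
    else:
        # No bind line: Redis listens on every interface, and protected mode
        # limits it to loopback only while no password is configured.
        remote = not (protected and no_auth)
    if no_auth:
        findings.append("no-requirepass")
    if no_auth and remote:
        findings.append("unauthenticated-remote-access")
    # rename-command MODULE "" disables the command; any rename counts as handled.
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2}
    if "MODULE" not in renamed:
        findings.append("module-command-enabled")
    return findings

# Constructed sample configs (not taken from the target machine).
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ('bind 127.0.0.1\nprotected-mode yes\n'
            'requirepass "constructed-secret"\nrename-command MODULE ""\n')

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```
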

Privilege escalation targeted a SUID pkexec binary on an outdated kernel. The PwnKit exploit was compiled and executed on the target, spawning a root shell.


PATH TO FOLLOW

  1. Reconnaissance & Anonymous FTP + Unauthenticated Redis Discovery
  2. Malicious Module Upload via FTP
  3. Redis MODULE LOAD → RCE → Reverse Shell as pablo
  4. SUID pkexec Discovery on Outdated Kernel
  5. PwnKit Exploit Compilation & Execution → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.